CLAIMS 

WHAT IS CLAIMED IS: 

1 . A process for protecting a computer from hostile code, comprising the steps of: 
defining at least two trust groups; 

assigning objects and processes in the computer to one of said trust groups, irrespective of 
the rights of a user of said computer; 

upon operation of a process over an object or over a second process, comparing a trust 
group of the process with a trust group of the object or with the trust group of the second 
process, and 

allowing the operation according to the results of said comparing step. 

2. The process of claim 1 wherein a process is assigned upon creation to the trust group 
assigned to the passive code starting from which the process is created. 

3. The process of claim 1 further comprising the step of changing the trust group of said 
process after said operation. 

4. The process of claim 1 further comprising the step of changing the trust group of said 
object or of said second process after said operation. 

5. The process of claim 1 further comprising, upon creation of an object by a process, 
the step of assigning said created object to the trust group of said process. 

6. The process of claim 1 further comprising, when said operation is allowed, the step 
of assigning said process to the trust group of said object or of said second process. 

1. The process of claim 1 wherein said trust groups are hierarchically ordered, and 
wherein the step of allowing further comprises: 

allowing said operation when the trust group of said process is higher or equal in said 
hierarchy than the trust group of said object or of said second process; and 
denying said operation when the trust group of said process is lower in said hierarchy than 
the trust group of said object or of said second process. 

8. The process of claim 7 further comprising the step of assigning said process to the 
trust group of said object or of said second process after the operation is allowed. 

9. The process of claim 1 further comprising: 
defining at least two types of objects; 
assigning objects to one of said types; and 

wherein the step of allowing operation over an object is further carried out according to the 
type of said object. 

10. The process of claim 1 further comprising: 
defining at least two types of processes; 
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assigning processes to one of said types, and 

and wherein the step of allowing operation of a process is further carried out 
according to the type of said process. 

1 1 . The process of claim 1 , further comprising: 
defining at least two types of operations; and 

wherein the step of allowing operation of a process over an object or over a second 
process is further carried out according to the type of said operation. 

12. The process of claim 1, further comprising: 
defining at least two types of storage methods, 
assigning a trust group to a type of storage methods; and 

carrying out a storage operation for a process of a trust group according to the storage 
method assigned to the trust group of said process. 

13. A computer comprising : 
objects and processes; 

a table of at least two trust groups, and objects and processes in the computer being 
assigned to one of said trust groups irrespective of the rights of a user of said 
computer; and 

a controller configured to access said table and allow an operation of a process over 
an object or over a second process according to the results of a comparison of the 
trust group of said process and the trust group of said object or the trust group of said 
second process. 

14. The computer of claim 13 further comprising: 

a table of types of at least two types of objects, the objects in the computer being 
assigned one type; 

and wherein the controller accesses said table for allowing said operation. 

15. The computer of claim 13, wherein said table of trust groups is stored in a non- 
volatile memory. 

1 6. The computer of claim 13, wherein said table of types is stored in a non-volatile 
memory. 

1 7. The computer of claim 13, further comprising a table of rules, and wherein said 
controller accesses said table of rales. 

18. The computer of claim 13, wherein said table of rules is stored in a non- volatile 
memory. 

19. The computer of claim 13, wherein the computer is operatively coupled to a network, 
the network including a server, the table of trust groups stored in said server. 
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A computer according to claim 19, wherein said table of types is stored in said 
A computer according to claim 19, wherein said table of rules is stored in said 



20 



